86648c521561c256143da24298fdb44ec2a3354eb6eee2c9bb3612312b8f5632

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09ab90191c3efe3b9ff04dcc0801220N.exe
Size

1.3MB
MD5

f09ab90191c3efe3b9ff04dcc0801220
SHA1

1abaca481fc42dd0fc8690c5bf9cff3df2f8d7c6
SHA256

86648c521561c256143da24298fdb44ec2a3354eb6eee2c9bb3612312b8f5632
SHA512

55dbbb741ebf897cfdcac645b2aad107ea98e77109bbec9d61d93976f1f485b9ed3d5130ab051aba848e4b190f35ae2d05d0ebb66981345b50dcbbf0a0d6b5e4
SSDEEP

12288:7utu7Hw1KS+kj2s+7u3bVa3w6LXLXkWUKElgYwKz:7uMyKS+w3U3pb4WUKEjf

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1664	alg.exe
3248	DiagnosticsHub.StandardCollector.Service.exe
3856	fxssvc.exe
1064	elevation_service.exe
4904	elevation_service.exe
2016	maintenanceservice.exe
3348	msdtc.exe
4844	OSE.EXE
1976	PerceptionSimulationService.exe
1920	perfhost.exe
3124	locator.exe
636	SensorDataService.exe
1520	snmptrap.exe
2528	spectrum.exe
1924	ssh-agent.exe
2404	TieringEngineService.exe
4148	AgentService.exe
4816	vds.exe
2216	vssvc.exe
2424	wbengine.exe
4740	WmiApSrv.exe
3352	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aabd5a0a2dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\System32\alg.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\locator.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\java.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaw.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f09ab90191c3efe3b9ff04dcc0801220N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f09ab90191c3efe3b9ff04dcc0801220N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058d94cc29802db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036792bc29802db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008040f2c19802db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044f002c29802db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000621286c29802db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015a113c29802db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044b245c29802db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
2512	f09ab90191c3efe3b9ff04dcc0801220N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
Token: SeAuditPrivilege	3856	fxssvc.exe
Token: SeRestorePrivilege	2404	TieringEngineService.exe
Token: SeManageVolumePrivilege	2404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4148	AgentService.exe
Token: SeBackupPrivilege	2216	vssvc.exe
Token: SeRestorePrivilege	2216	vssvc.exe
Token: SeAuditPrivilege	2216	vssvc.exe
Token: SeBackupPrivilege	2424	wbengine.exe
Token: SeRestorePrivilege	2424	wbengine.exe
Token: SeSecurityPrivilege	2424	wbengine.exe
Token: 33	3352	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeDebugPrivilege	2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
Token: SeDebugPrivilege	2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
Token: SeDebugPrivilege	2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
Token: SeDebugPrivilege	2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
Token: SeDebugPrivilege	2512	f09ab90191c3efe3b9ff04dcc0801220N.exe
Token: SeDebugPrivilege	1664	alg.exe
Token: SeDebugPrivilege	1664	alg.exe
Token: SeDebugPrivilege	1664	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1956	3352	SearchIndexer.exe	112
PID 3352 wrote to memory of 1956	3352	SearchIndexer.exe	112
PID 3352 wrote to memory of 3264	3352	SearchIndexer.exe	113
PID 3352 wrote to memory of 3264	3352	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f09ab90191c3efe3b9ff04dcc0801220N.exe
"C:\Users\Admin\AppData\Local\Temp\f09ab90191c3efe3b9ff04dcc0801220N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4124

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1956
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
664ee9c90e0c1f90da003a3dc7761e91

SHA1
e03c8aced7e93716edefe65b81375835bde09439

SHA256
869d8a564807727e1569f931dba028be56e0b65d89cfd82c86f5c30f13344ce9

SHA512
467edba3897a7d559a3caaeb8c5699a51e400c6f0b4c94e981d8c77b8f40ffb4711854df20d32e74825a801a4b510d6446607a8d94ff727291ab4f9cc7238b6a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d6d8a32c3fddac5995fa3c28041414c3

SHA1
7e2c417f1620c0e8d4fdd743e6bf1e568f183d78

SHA256
d3a51cccca783233110e5144465840b1a17cbac8f75b83901d19100949bb4751

SHA512
ed34c46be8725ca13c22d2dd00799e46c55fd824961b1085ad3c12dafc99c6c1b62f54a7dfe6e30fc89059e49cb81f2ccedddb1943eb852c2159408a61cf83fe

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
d4abe2d25bdc58368cf0787610453b74

SHA1
3503f13d541c866622234784b59e51e3f8de3c6e

SHA256
d04a856fd9c690c82bc443f7a2258ca38be03df880c76c67d5f52bdeca76e532

SHA512
dc220f3710ffad3d8d9dbeef85bcacfa38b69866745073d99d20ef5fb5e2565938e6876d8713e9197c51277646b56af44f90c7fe31c7ce8bf9df21b069bbc7f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
045f2b7d4e84da563161c9d8742bbfa2

SHA1
cf37c21b49b8578fdd03eb978bb53899a25595e9

SHA256
bed61a752db8d7f60e27270d20e7b40561708a4512e5de1738bd2b0fa634493c

SHA512
f9ee75d4046279d597677a0cd3741bbadf0922ed0706cb83525521d7840c810b7606f933f9798c5e8ff1aaeff52b245057b665b0aee01324c363367012736988

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
55fee29d113848fb2ef353b7fd0d9a60

SHA1
6f1569d3b9a48fcfad0b438babdb508c12cf1e45

SHA256
ecdaa502cbec1c14bb86cc321c1f7bcbb25ad0fc0e716a9d6c23b287124c628c

SHA512
fbb11ef4de71298da0a79fd6ae320a5da128460d6287c2469f51046f5a43ce60980ca0bc28bf9729c1af95d08b3419eff58455317e033ef95dc2891671b43df7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
af23884a54b71e005a85a91445ba5099

SHA1
45410daa11a9a9b3505017a7e0c12a5e4dc6bb67

SHA256
6be0c6364efecde433bd7a0d3160b9d69f024def33ca3f2600cccf7fc70ac977

SHA512
fa0a0608de55734684de11ebd31c914d5ba27f76ad3f8b06bd4db49de60ea53f05fe7868fb509d46d55a88c65c7a92bf2b22d7229b4157832c0fd490eee8859e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b4f2e58942ca7bca8b305a061ecfc946

SHA1
bf58e7981e83b38962943ec6c11e6adfa9cc75f7

SHA256
eaabe21d3a1ae7d2e5af518aedc6d2b4e6a073758002335cc5f1330c447458bf

SHA512
0a28f97367c4b0148aa8b3156161097cf140374f7a361a0c8e8ec333b27f2c92f151669ff9c44afc382084df76c29678a1e663cf65acf241416f98ad20e0077f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7c25ce16b4c0554255bc6aee45914d90

SHA1
03e4e6667fb3d936a75946139447c0922f190d2c

SHA256
0b8839ddfe3f52a38a06761647110880fcfd9d8b426895d20f0bde6dceb19552

SHA512
649cd3e624b1ed4789761ecfe61f1874d59433f71eb7b4e42ab9f8117ec19f660b150b2818244bc6170ae7920ed8a0dd87b640a7a1e96701475d596005976bd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
47e8136ea4ae4113962ab06ea8ff0472

SHA1
b4c6c553c7e15db154f1a9c68a92dbe31746012c

SHA256
46268797c33d4aafd45c9caccc420c758cc0245d9267c5d30fd90b00ab0078b7

SHA512
ce61933523975028a7ee52b1c09b6c950618a04c8beffdf2ed91106bc60776101030aca131df18736b705ed2768e8e1287b6f6b90b78d643b7043495a7cf689c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
65d84e6b7b526eb72c2bd45da48591ee

SHA1
260d6589e32e5f34b0e9bfe0442fcdc411a925e6

SHA256
f2878ae3a43ee4a8ba3da4990520d769638f2e8df4a2c2260dbc11107b05f264

SHA512
19af8bbcd00b58c7096e531dd86eef1a81e1fb4bac769dde72b8a840650d77b73bee5d07fab89c30d3a56ba645bd5f77d6da22e0f95856461c79e217289ae5c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
014b375c88a06456af5de8acfda6fc1e

SHA1
6ba322caa31ab603f2b268dd36425a3a9599fc62

SHA256
d264d2f106eb8b074894d59f7716dec99911512781e2694991c216a6b489ff77

SHA512
9581344ce50fdd3ddf6b30b5158d1eddbb776d400dab108c4f15457589380fe89ad60a6f8e7b54d033e5e853dcd6b01a8d4b130430b38c0d51638acdfc6881f3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e027473bf82b2d46be9b80742b92b16c

SHA1
26fe54b0df9b5bf43c71471c7a97736bae802366

SHA256
afa801d5a2c7f007eb239f02aae27a02b18457ed4586d92656bc5644b48ccf7b

SHA512
b6f6b0496c6ab0f1ff415ce9d46306fe08516dcb41dfe0752a6f7767b9cb44580f4cecc8cf4ee37aa7a7a15c007ffb9be95d3517c25c29c1a47852193c6febe0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
5496beb79ff86e894cb25f6ebf027fe7

SHA1
10c019e98e2968bb8f24b901830a600ba4997c52

SHA256
69f6b5b021b7f560a522b1d77671a572b5d587b1a6242afccf9af7fefb3f697e

SHA512
f4bd0eadedb364a8ff71ecf6ba09c767d4d4c400cf6aea297e55075951fa87811c0f65d2f4f0a238bd224120ef6de7a3c02ac911d6bca3c6e7dbd7284d78cfac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
61f1e7a8c121d029aa5139df24e8f383

SHA1
568f8358311f5a7fa9b160887174d69dc15acbf8

SHA256
c2587430a7399f642b3185a727154c8549fc7639cdc8fe4e9c483bfac95d75f5

SHA512
5996b6dc47dc76dd4038be819bff0baf830739d7fb778e6c173ffeb4754e5f4f56fe0ba94ce43bf6851ec9293c56d50ea06e8c7fa03437263ceffbeb175b08d5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a5d4bd66170109f24fcb76e06c6588af

SHA1
2100621a78abb21f104c57ceae57056e2092746e

SHA256
962c6daaf5721aa11f28878f8434ed58a1c14839bf2312587368b4f39cefe1a4

SHA512
ccaa1cf3911a65ea1ecd814d73a06929bf8e210a8496e8e12c470e440df50175c6e11e7f5b4832263bc9c63188cf38c0b73d466d437fd28bdc11ddd695670ac0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
45c18e2446db1a2284317ce04ef19a38

SHA1
dd60b82f190004116359d5786baa777d704ed831

SHA256
c4e00d38bc098b36245d7616bc1a54a8ee2cdac6b55980ea132704229e0e99b3

SHA512
c694abed793f0b0a339538534926499cc745c5d6553c8e5b3be67b9381d8d907ac040ca057097edd0265b4e0668013bf3efddd6f244c7a3e360e44d949976606

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
337aa7fa84c8c79134157d46067b519a

SHA1
c191c88487d404832c7d3df2579edb2c0692fd6b

SHA256
df5f65d6155e4eb56e004ea8ff68a46fdb9b3ce57b07bf581ab34fa07a812fa1

SHA512
78396d55dc69d472f1e71f831631215cac68bf2df1ee9b706173ae931d5ce8511b67a1908f1a71670011c1aba697a89d788672adebf8c37ca2db219f443f07ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
290da2d14b376220e91cbdbab1ad26af

SHA1
c39332f1b18279057f5c975dff8113f647b98086

SHA256
0772a94a122e81430e9c04eca70ad4f956b82ccd1047766f88506fc07f616495

SHA512
70fa1986afc477e9f798e3e281184b416a3ea07b4d0e5831eb33b8505411cb43dabee8a64f8c1ddc61ee3a5aa106a87b9c898e95db3a50f23237f12acd06d0e3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
5c393449e8acc54a4fda323a860726d7

SHA1
9fc555317ead7579b0de713479a95acddaf65531

SHA256
2dd9ec4147e670bf5630e44faeebb3f3a792c0a3464b4e6dba9d115be7c22e88

SHA512
65fb369f05f51b2e7d3ebe6a27673cf3ab84f4754b05c541a64e1daa51772e43dfc1b42ffda9091feaee6975182b5b0edbe5d40cf0695152a4a53c12867e954e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3288c89adffd2ee6e0a297f4adc27364

SHA1
6d5865f248e3fe2a83d5c44e109d371afc36ec53

SHA256
7e95c977dd5d7469e2864260293e1194cdc5bd0020a0590d035477acf6756e4b

SHA512
558bef374b158b786f6177634480f5ce2ec0755eb20d40a0299cab49e78184f4e538e431581d1851de7312252eeddbaf44e9989431824f9786448f706203d6eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
3762bc4cf83bb4cce0f25b5093c36a30

SHA1
bfb973392627b2f942223d6ca548835352c35ea5

SHA256
0428cec7c5ac4ca3ad14f571412a60e427548d1fa9e853a7990863caa41969e6

SHA512
ec3d708ff9c3750fd686ed8216f523ba81c0d59f46bec36aa0b99dc90fac2af408e79723598318a315451094f43d11cda655094ac4ab59135d0903a2f6d1a5e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
1b8120648987e1ab8f6ce65727a4fe2c

SHA1
bdfb444ecdb64094b3ef7917d717163b3a06ba6b

SHA256
290522cfc249a466928c932e47932d9a06a59f2d295ecd7201bb46a0d363812a

SHA512
9acf03af6a48feaac7eb81a610d105f11d8fa234203df5f44335af50b4f49c7427a9df06026919a2db86d2b8e5086b6e4544a72d39f8c85029f990325b6ca532

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
22c9eeeb3d58f28392936d3a5a59e0a4

SHA1
dd74b9443cf4fe302fe108e1779f0078d8b026e8

SHA256
a20028065f06669dc601f70fdca045d6f7c13506c81a8b1d5e2efde70e340507

SHA512
73829882e2209bb45644456e9328e67ab6c3140d32199fe8e510687dccd7273f73ab312d11f126de1cde66d4279839a6e75319ac9ebffdacd6cceb9288018bcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
5be45431e0b28ab822b3e56910bc95cd

SHA1
11b5758f2c67ac156b11b1cd183aa062db0cef84

SHA256
bc83e24ac00310e4cfe1172ff316efbf131aa688ad3730e51a583672b66db36a

SHA512
04247b95d4f9ba5a02589a1c6310183d54a0e46bc4697ad96388248cc08a8cfaff97b742accbd2f084df98bb06d6482c9ada7de006e9bcc3df610c547ae3b9c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
393947e45231925a61fef407562903bc

SHA1
79d8f2ec9f0d11e8ce7bda6fb798fb3b875af90b

SHA256
cb9bd9cfff5f5c2eacb260449610725d3603a139319b7230903d5c7e28aae450

SHA512
06f959d7ca59238f05fefaee784eb7f0e9325f270049b33d3342e8fbd49a3943b00b0eb5cc47e007bd5fd5832432ba9b3eb9ad00bddb5ab433da6f5d1db3a190

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ebc8dc467ad961acdf415d706edb44e1

SHA1
62428690e4291c78a38ad69f2db432d44863fbcd

SHA256
7e536e18e14dad3afe6cb4667cd744d17c8b03fe9dd022963391519a8350f5d0

SHA512
27093b3dfb1bd25ba8956633fb43bf96d904b1ea2bd9b3c723c5744b58d7648f09bc352bd66355925d732da2153506160231288cbbe9f6c61e2f02ce857356da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b9e3c98814923b37c5105cd9f9c83743

SHA1
e61bba9d9b3173da39a45c19e065040af375bb84

SHA256
8499ab9661db02ab70af04cfb51792fe68e93d474b4eb1bef76513bad0935816

SHA512
639a1a7ec183ad78be73f6372983f33b887661dc4790947f3220bb35cdcb621ce52462d5c8e6fc3e2be6b863d83a589c638d3eb1b0f2bbca34066cde9d267338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
a5ce7d8ca836192384bc0ad204821bdd

SHA1
8504760931ab86e23d55da0ab61768b6db606679

SHA256
6b869b0bbe99d33f9c7c8571408b313533cb55e2b87a24652c4fc51f260cae5f

SHA512
61d40640735485e764720ac93a8a0c2cde95ef22a851f023b4ab0e5497c76fb254cf1872e25cdca630273e3af0aaf7f1f211d113c6e7c13a30c71c1de3177ae3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9fee47d6072c5c6b0c00efa8880f34a2

SHA1
83b3ed2393db146752743ea7a95e6dca1c16f63d

SHA256
8c1267ccb54d04292a3a4adac9a6c2a3af83ffb5b7c9fb363ef7eb88cb7e0883

SHA512
5d1890ffc73c9487294c3973b69d501ac22b9db68780cc15854c5d4de8cab0d72cbafd7ffa77ee7ffa0a876b9479cf98ab0d7cee8db29940eb39a84f2f6c03e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b74e73667786fed88e1a88785c7c06bd

SHA1
3e3992a19488c76befb8c7ebb146f218f70ed3dd

SHA256
71956a105725e1ecb8605351f1928c12ccbf5b06af988bc11773f594958ebd9e

SHA512
cc24d00891b01c4d95fd69da19c24b5589f5dfc93c4ae05d52bbfa0d7d7c71eb91d26f41d4adc453eb66673a1b113f8cb966ab648bf7c6ed24aa6618b8acdc95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
9a19ab4d3fc84d31c0419312a05e4292

SHA1
b832df424855aa43de0ca4ca4464972bde6694e7

SHA256
b5ce9ce5f75ae7d05dddfc07c591003eebd7ae6725e1ca0425fa3e44514d2415

SHA512
810edd771efbf8dafcec82c8b394121f2acdb081bc09c627784b65e6e956ab86313d412298ddc75eebf7ff62e367fb09e8e50c8afb80b98b6d4c97bf3a7eadea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
0ddb001042d0a18c3cf564767b4084a1

SHA1
81ffec07851f1cbcbfea55fce800d1cb98b12e23

SHA256
78a8df3844ebe0e502ab2c6b109f80d8b9ba9f5043b913cc824fd242164e0bc4

SHA512
075cfea41d595a487dc0369eddf708802508b13d7981898874825a39cdcbff1281dcffebbb0e5d5b9c6e342a2f5a426bce13d0bccae6d33fce74492bf93d0fb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b3e895d82b0ec6805511078b76f74aff

SHA1
46e02e44130eaf98c4117abf2f236faaa36dd551

SHA256
29ca9b9bd129c859ea8dad903d08fa9f6f0b3bb7bf7d78cb8a2d634aa7e62c40

SHA512
011f91aa07233249c43929a1d77e3140052013b547f61310281644dddab6d317beda0134b2aebc59a70afa1040e0c19d58c7987901f2966eea01431083dcecd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
5230b9624daca04dc5afa9e5d5f5ef78

SHA1
18c0fdb6cc6d15037b820e5d96f35423d8e64f24

SHA256
0f27297f4aa1d3d31c810fc60be9b7cead252eb3ddd7744d0596bdad7b5fd3aa

SHA512
64a3777c2231caa46decf791282cce6b64ae2421a2420ed0e4615b4d2e698421794e4833cc32d8e56a08351eee7f6b7ba3723b55649c94bd3ef8c938c27ef836

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
6fb86adcbc18df3e93250a39467a668c

SHA1
70663e66e269fdd1c02cb01df836d33fa53a402d

SHA256
26df0bbb224284d4faf0fe4b36d7a8acb303725606d62ebe931b3692fce05284

SHA512
b3de157ef0dca4ec94d63c5777e14bcd6c28b3e8926ddf103b458530544fdaee9018b29771111cd88d4f9d4ec6abb712f5d320a9c85c057ee40ec6c25881614e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
57dfebc299dfc8e8fa23cba34c96cfbe

SHA1
cb947424bfd6e2dc32f3b08ad04e51b78650dffa

SHA256
0986d35a1f69a01f4fa7ae4f8f2ec021f8fd58ab8a830370c956acd6296aaa06

SHA512
4474b0b52f828f6e65b8a0b1887f45152622888c044e651277be5030119b180d39311b5c004266972deeab4b7fb0a3ef4ac6c1ceaee2413a78ba80844d7d567d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4d92e1f6a711349ad515261bb8b6235e

SHA1
63b844b6611b2e415ce7c5d803837b50f08f04a9

SHA256
9edac7446b2ef1811817ab026d7db2fcdbae3efe659eb61447abdcd0feae35dc

SHA512
20001d7ee0ee81892fab01481f1a32e19a1fef4291986fda4adeb6b543ab915a8b3121ca36b48e6416d6f9e0b62d529d4e839636f497db6e23c9af216edbbe23

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
88a2d50394a9619c39974c114e4a2ab2

SHA1
c1c5b85527361c8337298cbe2b4fe965a377992d

SHA256
f91ff1f8390c6864f487bd7a3040dd053b69c46bb88b6bbb355b9538e8f11e4c

SHA512
194986773f16267f7f6a41db482732002575e6ce1324a6e16726feb3b8f7b2d0a47796e34d5034f900ee908e2b3e119a7bc6c4039dd0f647d9f51b8ff407896f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b8d0f442a26819150a8d3abd45537b94

SHA1
8f44966df5e917427c17324b8f2918793d4c38df

SHA256
354d4e157c646019257dca16be6b88766ecdc88dcedcd11edf2ff5ccd22efaf3

SHA512
79fee293439abb8e696e4ee194bf104ba4df3295fd4b03c0ffd55ff25b70fca28ec43e8f5b58e9830e03bcecf03d42742aeac401026339c0849d6beed1da5da8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3120187a0eed7e6a425af20ab06207aa

SHA1
cade515d731b3719edb0c101bd1a0dc73de9c563

SHA256
7bb7eac13cf903fe11d329c646cc8587aed33a02623534a31baa7117825d8be5

SHA512
f32cf63df54aa7d537a276ed25d647c7da0fd7792d5eb46e51a252bac768b426157aea88ef639714bb7d16a44ad032f959504d85f44e437136ea28119d60f1cc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
efb1a9982e5e669dd0216e4eab3a8507

SHA1
a46dc5b060028f571ce38ae0c2b44e56edfe0714

SHA256
d87212545c6f56e9cb998e919a684c0b554d7ffded2a4cec27f36ca9c3fc35b7

SHA512
09a9f200d9c4775b98979868a444b44b9c8d848bbd888be9dcd1dedea4e6b83750fe297d8a410fad967508b6035c37a15cdefa2a9f13eb5fba72c83e76c4bc40

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aab8c8242b0cc4e901a36efa3d43a478

SHA1
0f6fa14bbee292c2a2fa4e85e7d8470b7b5b3d41

SHA256
cb28c09ba7210e0f90fa1a0ce83408cb6daee6ff628fef958e48e3acbfa228e4

SHA512
ce41b231efe9debd4638db9cb2b2bcdd290bee7e7be560c1d168c4490d7f249308d4be4cafeae4849514c74f51337b8d0a7f86edcfd7ce6e62013c22b1878abf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d87e1d5fced584d361e236780061a2f7

SHA1
9dd356fbd238568cdb5724040f2f62155761a67f

SHA256
2bccfdceac0329b6143f6915ef724d352f10a7e2f4756bf4a0ce462bef2e2d77

SHA512
a161061d5980e6c64da84ffb7b7157694d97bbe70639410a758a80cc8bbee8c95643e088522717ff9ba775487f23c583753ce52d1a4e960896400399f01db3aa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dd7947c6fe80f0f4b700e401b21a9cd7

SHA1
5aa927dca5af34c425482c58191884ceb95fd849

SHA256
84edc16546507a326c264e6fb62fb565c0813e98676cd0cf31e93a4d30a681b7

SHA512
cc0108fdb505f66bdc720994b08eb7fe9e503593efee81f251acb7f48cf90e18061a5b2c889933e04f84753f50eaf275cd1cf6d3510df611c2e912eeb9e72cf9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f17eed376e33ae75c0fb5302baf202d9

SHA1
3201022712344da95d7b36871a1ae18dea51e8e6

SHA256
5aa5a18fb919a2285d49b483fb27741781394249ca28d541dfea2a284a356f51

SHA512
42456d0d9a94b8008b59b86e9f5f01cbd49d4598e6107418aa3e342ad096d8d9d9e6259a4bed6adb6cc8d38fc6be751c51f97d9edcf2ebdbe514eb95b3293602

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cd95d3a7a212be2e7744c7b7474d61ee

SHA1
9cee737fbca90e56829739aa62bab777606b431d

SHA256
a80064e9bcef8032e969918bf20aba33148a80bb21bea2f702bf5af6ca8ed91a

SHA512
70e9c2694055d625467263c972101cfc5d172c08369a68570e7b8da255ee6003092fd57a6918b44e56442c3841e46b19a33cdac3a515089494dc33b9ffdcd922

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
710a4d8909e73cbd80489aab55a1f824

SHA1
ba758344177a1e080a13e9de7419d2288e9d9fce

SHA256
bd91ef7b60075192e16ab38d5e3075f0b733d284358865c90d67124d5b1981c7

SHA512
687167d7c3839ad08779cbd6c6cf7485b98894d9daef1efaf5a0c92982bfb8c3d9515d37d0e711345d41e6eb906e5764c92e2a778539b73b2965824c71cdb89e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1b1ee53714a09e3cf75d5843db37e39d

SHA1
58a24a77a51c3a617490dbf005848ad3434f2d1d

SHA256
71f05e6a4ebabf0bec88bce68a0f5038e3d169d9b96a4370dece2b8938b42250

SHA512
7a8fdc605c9aea9a077c56e95405d1693769c7ca40c6bc738e29e237dacea8a984126901832baf906dab71546e14b654a140b7f71980ee4696ee678f649d67cf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d51addd79abeac1952a6ecca72d864cc

SHA1
f1ce1155a7ae5da0d9fa3b2bf1123fcde4514a62

SHA256
c1f0952ad05a9e8043e8040f8446fc2fa008228dbfec6d8a59bd12e07b5f9ac4

SHA512
4433058761b3af58677ee439e66c760ac3536cab4442531b1d6cc7a8cdf9ac32776d651a584c7012d242dd130082187302592cfc829bd1e69a4499f0b531fabb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f8bcd2879bbb970cc88345eeff52ed2e

SHA1
158567d398df87c472ca8825eda77c207562eb8b

SHA256
21eb2d023f2a6f309b12a1634e065583600029b14d8c1be4328fce75f74fc22f

SHA512
7ea33f855ea67800a5dfe7fe2d346d6f9939e7b79384ea374f0f9227aa57408fd6843ac70b3681c94cfd2652684f2652b40e9d4b3834fea49c063b3fd84bc5a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
807455727918d98279090806bab384e8

SHA1
66b2306f3b905039bed4d6263792f1fc1be40604

SHA256
ff68781a48c47d219fe18e2e31b810e9a32a9e71c27dcc2372c9228cd5026790

SHA512
c2d8d34292cdb983a866ebeea12146c065e3aab36f0eaf42a3db4c3621fc475001d309bbbcc84d8d403cf5eb6a880d7c27ae3713d5396351c83b98660f8331b5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
23581b071a7851c1727275af166c501b

SHA1
4265787ef549625c00dffea5ec394fdf4af2ce79

SHA256
8a9f8fba9127478eee39fb4c5aa12f552df52d6c46ed8380dc64fb72df1d11a0

SHA512
eeae3471bdd48dd194b9f72122a50875f6b78cdfbeb22026c7e5c9418773fd61ea9f3cf51f95b4620cd0b58473fc93d038b3931757f3f6318ea971a439dd6fbb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3f0e3a91bfd205a6c41638af57bb6497

SHA1
cbf0e65c267500e16f0a1910ac529035f647c63a

SHA256
5d96e6f6f4e861acb6e49958417d640780e4208490a7e73f5933ad9f813b5e98

SHA512
96c2b08d424789d12ec6bc064fe70726c813bbf49ff420c32444b8906a920d9c45e0823bea49aabcea82764a1fde8beb70aeb1abcccc9f05a3bcd86fd5eb8683

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
73fd6ac7d35c7117d0756752f11e99a5

SHA1
7b893e66e4ab5af66d92c48f9c014d1851f0db13

SHA256
f34bc76ecc7bd1513a7325b578688903b7e965a6e2ba794f9c031c266fa0f1d7

SHA512
0cb52c76ced6d8f87fa2bdb00cc3ee4a7c477008b2885229d6dc52e00c0201e9446c17c1aa9b2462cb5378b593f49d9e2ba72a656efb189530cde58c47dffb9f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
829cc7735a64dcc63e0f78d34dc1d292

SHA1
69351591ce7ca8ce1b5e3fbada796bcf4244160b

SHA256
89291e5a5f820c0e86dba6ab8130df4301e4137b6a2e39d27b18ee1afc0842ee

SHA512
eacde54e0f3f633a90a3bd20c88945fe543505cdb5a35c3021d5e83af070d06a029d84ff2aa4e91af551a831d2975c93056e173aa38cc91484580224ea57ce8e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2c70b97424bf137b7b5ea922a1bb9806

SHA1
badabd195c880e1079b79f0ae2b8d5a88d3a5524

SHA256
3b2ec71d57bdfa096b16b9b84965865abb903f0911b0b5b1e106420511df94f4

SHA512
f4cc2affe03ca976645a936d5ae5107e57395145fa8522b3e891367f009ded9d788ecd64504e5b8f354c3c30d7152c1d35759b61e2b5b319c796fbd06535e87f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cbc17b8d14e50af402cf81c645e14bca

SHA1
82b5eaf1dffc15a5ee7bb7c18a93d9bd911ada69

SHA256
2b0f33c8167206f3657902caa35e3f1c3645be953d906f0d96cd091b9ce95d20

SHA512
8b4a07271fc754730f8808429267e58a4af08071e4ff50a87f79187803ed101c9e53d8ba04be3c637b6fb6886297f73697d515f9d67e1022873606285dde56b8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
96e4412f798671399ad95a15f9d42054

SHA1
dc8ac6a9a9aede38a1af3a0401bea6478400b83e

SHA256
ad2e3bfa71fd5d30afb9b3e3b58b6bd15b23a5df6ca2546d658f98bb5307c578

SHA512
8cac4ca57d7436ebfd3b7f6b420acc7cfc6921ded5558ae14168f6ba243ea0c71e891950345e0213a20a31157d37ad4376c1d0c2343e047f8c75624a923d9759

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
38915eef4159f2c05f4574323e05a57e

SHA1
26bcd1211945de2f419e3770b19fb346bdb23b63

SHA256
4828c45785aa1e824c9df04abf440f12a8bc99ddcc0ae66542e10462b80a585d

SHA512
f4b14596a7c2e78631b57e345373638e77da5584eeace8de8660a54a01cc38634c2a663f34fe70a32a7e4c92f3c15cde76ec826f991078a5dec615a713727771

Download Submit
memory/636-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/636-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/636-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1064-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1064-53-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1064-163-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1064-47-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1520-374-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1520-152-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1664-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1664-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1664-109-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1664-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1920-238-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1920-126-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1924-177-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1924-454-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1976-226-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1976-123-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2016-84-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2016-81-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2016-86-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2016-72-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2016-78-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2216-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2216-501-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2404-464-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2404-188-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2424-505-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2424-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2512-6-0x0000000002480000-0x00000000024E6000-memory.dmp

Filesize
408KB

Download
memory/2512-1-0x0000000002480000-0x00000000024E6000-memory.dmp

Filesize
408KB

Download
memory/2512-80-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2512-0-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2528-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2528-164-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3124-135-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3124-250-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3248-33-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3248-31-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3248-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3348-199-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3348-89-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3348-88-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3352-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3352-509-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3856-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3856-43-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3856-37-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3856-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3856-57-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4148-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4148-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4740-259-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4740-506-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4816-500-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4816-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4844-214-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4844-110-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4904-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4904-175-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4904-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4904-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download